## API gotchas
-   From the scopes page, make sure to select scopes based on the APIs you enabled earlier when setting up the app.
-   Under certain circumstances, Google expires a user's refresh token and the token refresh in Nango will fail. You can find a [list of reasons from Google here](https://developers.google.com/identity/protocols/oauth2#expiration), including:
1.   The user has [revoked your app's access](https://support.google.com/accounts/answer/3466521#remove-access).
2.  The user changed passwords and the refresh token contains Gmail scopes.
3.  The user account has exceeded a maximum number of granted (live) refresh tokens.
4.  The user granted [time-based access](https://developers.google.com/identity/protocols/oauth2/web-server#time-based-access) to your app and the access expired.
5.  If an admin [set any of the services requested in your app's scopes to Restricted](https://support.google.com/a/answer/7281227#restrictaccess).
6.  For [Google Cloud Platform APIs](https://developers.google.com/identity/protocols/oauth2#gcp) - the session length set by the admin could have been exceeded.
7.  In "Testing" mode with an external user type, refresh tokens expire in 7 days unless only basic scopes are used — userinfo.email, userinfo.profile, openid, or their [OpenID Connect equivalents](https://developers.google.com/identity/protocols/oauth2/scopes#openid-connect). You can remove this 7-day limit by switch from Testing to Production. Follow step 6 in the [Setup Guide](#setup-guide) above.
8.  Google allows up to 100 refresh tokens per account per OAuth client ID; new tokens overwrite the oldest without warning when the limit is reached.
-   While setting up the OAuth credentials, the _Authorized JavaScript origins_ should be your site URL (`https://app.nango.dev` if you're testing from the Nango UI).
-   For applications using sensitive or restricted scopes, Google requires verification and a security assessment. This process can take several weeks to complete.
-   Google's OAuth consent screen has different configurations for "External" and "Internal" user types. Internal is only available for Google Workspace users and limits access to users within your organization.
-   Google implements incremental authorization, allowing you to request additional scopes over time without requiring users to re-authorize all previously granted scopes.
-   Google enforces [rate limits](https://developers.google.com/workspace/admin/reports/v1/limits) on API requests, which vary depending on the specific API being used.
